嵌入PowerBI并出现身份验证错误(AADSTS50076) [英] Embed PowerBI with authentication error (AADSTS50076)

问题描述

我想在我的Web应用程序中嵌入一些PowerBI报告.我有一个上一个项目的工作代码.现在，我有一个新项目，其中包含新的Active Directory和新的PowerBI.我在Active Directory中创建了一个新应用，并且我有TenantId.当我运行 AcquireTokenAsync 时，会收到错误消息.

 公共异步任务< bool>CreatePowerBIClient(){bool rtn = false;如果(客户==空){var credential = new UserPasswordCredential(SettingsModels.Username，SettingsModels.Password);var authenticationContext = new AuthenticationContext(SettingsModels.AuthorityUrl);var authenticationResult =等待authenticationContext.AcquireTokenAsync(SettingsModels.ResourceUrl，SettingsModels.ClientId，凭据)；如果(authenticationResult！= null){var tokenCredentials =新的TokenCredentials(authenticationResult.AccessToken，"Bearer")；客户端=新的PowerBIClient(新的Uri(SettingsModels.ApiUrl)，tokenCredentials);rtn = true;}}别的rtn = true;返回rtn;} 

{错误":"interaction_required"，错误描述":"AADSTS50076:到期您的管理员对配置所做的更改，或者是由于您移至新位置，则必须使用多重身份验证访问'00000009-0000-0000-c000-000000000000'.\ r \ n跟踪ID:4d6fa156-0435-4c92-9746-b0e3d6bcdb00 \ r \ n相关ID:0febdcc8-cd86-46e2-a7a5-0ec0705732bb \ r \ n时间戳:2020-09-1712:20:40Z"，"error_codes":[50076]，"timestamp":"2020-09-17"12:20:40Z"，"trace_id":"4d6fa156-0435-4c92-9746-b0e3d6bcdb00"，"correlation_id":"0febdcc8-cd86-46e2-a7a5-0ec0705732bb"，"error_id":"https://login.microsoftonline.com/error?code=50076、"suberror":basic_action"、claims":{"access_token":{capolids":{essential";:true，"values":["8abf28b1-2a8a-440a-821c-9874593bec9c"，"9f5f13cb-276e-49fe-ad14-829ce71aef09"]]}}"}:未知错误

我检查了Active Directory中应用程序设置的权限，但是找不到禁用多因素身份验证的位置.我不是该域的管理员.

我该怎么办?

更新

我正在使用最新版本的PowerBI软件包，并用建议的代码替换了代码:

 公共异步任务< bool>CreatePowerBIClient(){bool rtn = false;如果(客户==空){var authenticationContext = new AuthenticationContext(SettingsModels.AuthorityUrl);var credential = new ClientCredential(SettingsModels.ClientId，SettingsModels.ClientSecret);var authenticationResult =等待authenticationContext.AcquireTokenAsync(SettingsModels.ResourceUrl，凭证);如果(authenticationResult！= null){var tokenCredentials =新的TokenCredentials(authenticationResult.AccessToken，"Bearer")；客户端=新的PowerBIClient(新的Uri(SettingsModels.ApiUrl)，tokenCredentials);rtn = true;}}别的rtn = true;返回rtn;} 

具有这些值:

• authorityUrl:

  我不知道问题是什么.我发现此

  I want to embed some PowerBI reports in my web application. I have a working code for a previous project. Now, I have a new project with a new Active Directory and new PowerBI. I created a new app in Active Directory and I have the TenantId. When I run AcquireTokenAsync, I receive an error.

  public async Task<bool> CreatePowerBIClient()
  {
      bool rtn = false;
  
      if (client == null)
      {
          var credential = new UserPasswordCredential(SettingsModels.Username, SettingsModels.Password);
  
          var authenticationContext = new AuthenticationContext(SettingsModels.AuthorityUrl);
          var authenticationResult = await authenticationContext.AcquireTokenAsync(SettingsModels.ResourceUrl, 
                                      SettingsModels.ClientId, credential);
  
          if (authenticationResult != null)
          {
              var tokenCredentials = new TokenCredentials(authenticationResult.AccessToken, "Bearer");
              client = new PowerBIClient(new Uri(SettingsModels.ApiUrl), tokenCredentials);
              rtn = true;
          }
      }
      else
          rtn = true;
  
      return rtn;
  }
  

  {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000009-0000-0000-c000-000000000000'.\r\nTrace ID: 4d6fa156-0435-4c92-9746-b0e3d6bcdb00\r\nCorrelation ID: 0febdcc8-cd86-46e2-a7a5-0ec0705732bb\r\nTimestamp: 2020-09-17 12:20:40Z","error_codes":[50076],"timestamp":"2020-09-17 12:20:40Z","trace_id":"4d6fa156-0435-4c92-9746-b0e3d6bcdb00","correlation_id":"0febdcc8-cd86-46e2-a7a5-0ec0705732bb","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action","claims":"{"access_token":{"capolids":{"essential":true,"values":["8abf28b1-2a8a-440a-821c-9874593bec9c","9f5f13cb-276e-49fe-ad14-829ce71aef09"]}}}"}: Unknown error

  I checked the permission on the application settings in Active Directory but I can't find a place to disable multi-factor authentication. I'm not the admin of this domain though.

  What can I do?

  Update

  I'm using the latest version of PowerBI packages and I replaced the code with the suggested code:

  public async Task<bool> CreatePowerBIClient()
  {
      bool rtn = false;
  
      if (client == null)
      {
          var authenticationContext = new AuthenticationContext(SettingsModels.AuthorityUrl);
  
          var credential = new ClientCredential(SettingsModels.ClientId, SettingsModels.ClientSecret);
          var authenticationResult = await authenticationContext.AcquireTokenAsync(SettingsModels.ResourceUrl, credential);
  
          if (authenticationResult != null)
          {
              var tokenCredentials = new TokenCredentials(authenticationResult.AccessToken, "Bearer");
              client = new PowerBIClient(new Uri(SettingsModels.ApiUrl), tokenCredentials);
              rtn = true;
          }
      }
      else
          rtn = true;
  
      return rtn;
  }
  

  with those values:

  • authorityUrl: https://login.windows.net/common/oauth2/authorize/
  • resourceUrl: https://analysis.windows.net/powerbi/api
  • clientId and clientSecret from when I registered the app from PowerBI (also, I checked the ApplicationId in the Azure portal and it is the same)

  Now, I got an error:

  Response status code does not indicate success: 400 (BadRequest).

  [AdalServiceException: AADSTS90002: Tenant 'authorize' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.

  I don't know what the problem is. I found useful this post.

  解决方案

  From your code, I understand that you are making use of a specific account to get the token to connect to the PowerBI report.

  This error you are encountering indicates that you are passing credential of the account for which MFA is enabled. MFA is enabled at a user account level and not at the app level. To overcome this error you could use one of the below options :

  Option 1 :

  You could try seek & exemption for MFA for the account that you re using to connect to the report. Alternatively, in a lot of organization as best practice use service accounts with least perms without MFA enabled to perform automated task. You could make use of one of these accounts to connect to reports by granting them access.

  This will not require any change in your code.

  Option 2 :

  You could generate a App Only Token. You are making a App to get authenticated against Azure AD and consuming the report. MFA will be completely out of the picture.

  The App will need to be given permission to the workspace in which the report resides.

  The below snippet of the code to get App only token

  var credential = new ClientCredential(ApplicationId, ApplicationSecret);
  authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, credential);
  

  For detailed steps on how to create and grant permissions for an app, you could refer this article.

  Note :

  This needs a setting to be enabled at PowerBI service by the PowerBI service Admin to consume reports by this method.

  这篇关于嵌入PowerBI并出现身份验证错误(AADSTS50076)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！